Conventional communication networks such as the Internet may be made up of several interconnected autonomous systems. An autonomous system is a network under administrative control of a single entity, such as a conventional Internet Service Provider, or ISP.
Certain topology and routing information is exchanged between routers at the edge of adjacent autonomous systems by means of the conventional Border Gateway Protocol (BGP). To send BGP information from one autonomous system to another, a conventional TCP/IP connection is established between edge routers of each autonomous system and the BGP information is exchanged over that connection. The TCP/IP connection uses an address that is “routable”, that is, reachable from any other autonomous system in the network. In contrast, for security reasons, routers in an autonomous system that are not on its edge have addresses that are “unroutable”. An unroutable address can be reached only from within the autonomous system, which makes it less exposed than a routable address.
Devices with routable addresses are subject to attacks from unauthorized individuals, and edge routers are therefore subject to attack. One type of attack triggers a buffer overflow that causes the device to execute code which communicates with the unauthorized individual's computer system. Any device that has a routable IP address is subject to this type of attack and potentially others.
Consider a device that has no routable IP address but is in the same autonomous system as a device that does. If the device with the routable IP address forwards messages to devices with unroutable IP addresses, an unauthorized individual may set up a tunnel between the two devices and send communications through that tunnel in order to take over the operation of the device with the unroutable IP address. Thus, any device that has a routable IP address can expose the other devices in its autonomous system to attack.
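As an added illustration (not part of the patent text), the following model shows the ingress rule an edge router needs so that its routable address does not become a tunnel into the autonomous system's unroutable address space: external traffic is accepted only for the configured BGP peer and is never forwarded to an unroutable destination. The prefixes, peer address, port constant and sample packets are constructed assumptions for the example.

```python
# Added illustration, not code from the patent. Models the ingress policy
# of an edge router so that its routable address cannot be used as a path
# into the autonomous system's unroutable address space.
import ipaddress

BGP_PORT = 179  # TCP port on which BGP sessions are established

# Assumed for the example: the AS's unroutable (internal-only) prefix and
# the edge router's routable address. A real router takes these from config.
UNROUTABLE = [ipaddress.ip_network("10.0.0.0/8")]
EDGE_ROUTABLE = ipaddress.ip_address("203.0.113.1")
# Assumed: the only external BGP peer this edge router is configured with.
CONFIGURED_PEERS = {ipaddress.ip_address("198.51.100.2")}


def is_unroutable(addr):
    """True if addr lies in the AS's internal-only address space."""
    return any(addr in net for net in UNROUTABLE)


def ingress_decision(src, dst, dport, from_external):
    """Return 'allow' or 'drop' for a packet arriving at the edge router.

    The rule that matters for the text above: traffic arriving on the
    external side is never forwarded into unroutable address space, so the
    edge router cannot be used as a tunnel to the internal devices.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not from_external:
        return "allow"  # internal side; outside the scope of this model
    if is_unroutable(dst) or is_unroutable(src):
        return "drop"  # no forwarding into (or spoofed from) internal space
    if dst == EDGE_ROUTABLE and dport == BGP_PORT and src in CONFIGURED_PEERS:
        return "allow"  # BGP session from the known peer to the edge router
    return "drop"  # anything else aimed at the routable address


# Constructed sample packets: (src, dst, dport, from_external)
SAMPLE = [
    ("198.51.100.2", "203.0.113.1", 179, True),  # configured BGP peer
    ("192.0.2.77", "203.0.113.1", 179, True),    # unknown host speaking BGP
    ("192.0.2.77", "10.1.2.3", 22, True),        # tunnel attempt into internal space
    ("10.1.2.3", "10.1.2.4", 179, False),        # internal-only traffic
]


def evaluate(packets=SAMPLE):
    """Apply the ingress policy to each sample packet in order."""
    return [ingress_decision(*p) for p in packets]
```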
What is needed is a system and method that can communicate BGP information without exposing any devices that communicate BGP information, or the devices to which they are connected, to attack.